To: dnssec@cafax.se
From: David Blacka <davidb@verisignlabs.com>
Date: Tue, 11 May 2004 17:02:16 -0400
Content-Disposition: inline
In-Reply-To: <23613.1084305407@marajade.sandelman.ottawa.on.ca>
Sender: owner-dnssec@cafax.se
User-Agent: KMail/1.6.2
Subject: Re: dnssec: resolver - application communication
On Tuesday 11 May 2004 3:56 pm, Michael Richardson wrote:
> >>>>> "David" == David Blacka <davidb@verisignlabs.com> writes:
> >> If I ask: c.b.example. CD=1
> >>
> >> and my resolver fails to validate b.example, does it continue?
>
> David> Yes.
>
> >> Consider the question again from the point of view of a broken NS
> >> (vs a broken DS).
>
> David> What do you mean by "broken"?
>
> If example. has only lame NS records for b.example. then one can't get
> c.b.example.

Right. No one can.

> Now, if the DS records that example. has are broken in some way (wrong
> hash, SIG over them expired, etc.) how is this different than if the NS
> records are broken?

Validation failure can be ignored, and is with CD=1. A lame delegation cannot be ignored.

> David> My point is that SASRs do not need to bypass their full
> David> resolver, nor do they need to get the entire validation chain
> David> back in one round trip. I am not making a statement as to
> David> what security aware resolvers should return to applications.
>
> I'm not in the camp that wants to bypass.
>
> If CD=1 will work the way that you describe (I have little experience
> with it at this point, btw), then it is possible that one can do what I
> want.

I was only talking about how SASR should work in general, so, at this point, I think that we are talking about different things.

> However, since I want to do it on EVERY lookup (successful *OR*
> failed), it seems a waste. Since I expect SASRs to primarily use a
> local channel to talk to security-aware full resolvers (SAFRs?
> pronounced like Safron maybe. Or is there a better term already), I
> don't understand the objection to having all of the records returned.
> This is a local matter (i.e. not necessarily for the IETF to care
> about, or standardize), except to the extent that reusing as much of DNS
> as possible makes sense. I.e. I'm imagining an EDNSx to enable this.
I have not been objecting to the concept of returning the entire query chain as an alternative to SERVFAIL. I've mostly been objecting to the (possibly misread on my part) concept of how SASRs should work.

I am curious as to what sort of local channel you expect the SASR to use to talk to the SAFR (to use your abbrev.)? Why do you expect it to be something other than DNS with TSIG? I would posit that most of the time, the SAFR will not be on the same host, just as full resolvers are usually not on the same host as the stub.

--
David Blacka <davidb@verisignlabs.com>
Sr. Engineer
VeriSign Applied Research
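The CD=1 behaviour discussed in this thread, as an added example that is not part of the original post or of any resolver's own code: it builds a wire-format query with the CD bit (and an EDNS0 OPT with DO), decodes the header flags, and reads a SERVFAIL the way the thread describes. Message ids, the 4096-byte EDNS size and the constructed replies are assumptions for illustration.

```python
# Added example (not from the thread): build a DNS query with the CD bit set and
# decode header flags, so a SERVFAIL can be read the way the thread describes.
import struct

# Header flag masks, second 16-bit word of the header (RFC 1035 / RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_MASK = 0x000F
SERVFAIL = 2
EDNS_DO = 0x8000  # DO bit sits in the high half of the OPT RR's TTL field


def encode_name(name):
    """Encode 'c.b.example.' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype, cd=False, msg_id=0x1234):
    """Recursive query; cd=True sets CD, and an OPT RR with DO asks for DNSSEC RRs."""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)  # root name, type OPT
    return header + question + opt


def build_response(query, rcode, ad=False):
    """Constructed reply: echo id, RD and CD; set QR and RA, optional AD, given RCODE."""
    msg_id, qflags = struct.unpack("!HH", query[:4])
    flags = QR | RA | (qflags & (RD | CD)) | (AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def parse_flags(msg):
    """Decode the flag word of a query or response."""
    msg_id, flags = struct.unpack("!HH", msg[:4])
    return {"id": msg_id, "response": bool(flags & QR), "rd": bool(flags & RD),
            "ad": bool(flags & AD), "cd": bool(flags & CD), "rcode": flags & RCODE_MASK}


def classify(query, response):
    """With CD=1 the full resolver ignores validation failures, so SERVFAIL can only
    mean the name could not be resolved at all (e.g. a lame delegation); with CD=0
    SERVFAIL is ambiguous between a validation failure and a resolution failure."""
    q, r = parse_flags(query), parse_flags(response)
    if r["rcode"] != SERVFAIL:
        return "validated" if r["ad"] else "answer (unvalidated)"
    return "resolution failure" if q["cd"] else "validation or resolution failure"
```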